Data Privacy Notice

Last Updated: December 20, 2023

Why are you seeing this notice?

This Data Privacy Notice details important information regarding the collection, storage, use and disclosure of Personal Data (as defined below) of users of the OpenZeppelin websites and any other products, services, applications, tools, blogs, forums and/or materials offered from time to time by OpenZeppelin (collectively, the “Services”). OpenZeppelin provides this Data Privacy Notice to help you understand how your Personal Data is collected and used by us and your choices regarding our use of it. 

What is “Personal Data”?

“Personal Data”, or personal information, means any information about an individual from which that person can be identified, or that is protected under applicable data protection legislation in any applicable jurisdiction.

Your acceptance of this Data Privacy Notice

This Data Privacy Notice should be read in conjunction with our Terms of Service found at https://www.openzeppelin.com/tos. If you have not done so already, please also review our Terms of Service. The Terms of Service govern your use of the Services and contain provisions that limit our liability to you and require you to resolve any dispute with us on an individual basis and not as part of any class or representative action. By accessing any Services, you are also accepting and consenting to the information collection and use practices described in this Data Privacy Notice. IF YOU DO NOT AGREE WITH ANY PART OF THIS DATA PRIVACY NOTICE OR OUR TERMS OF SERVICE, THEN DO NOT ACCESS OR USE ANY OF THE SERVICES.

By using the Services, you agree that we can collect, store, use, disclose, and process your Personal Data as described in this Data Privacy Notice. 

Who is providing this notice?

The entity that provides the Services and that is responsible under this notice is Zeppelin Group Ltd, a company incorporated in England and Wales whose registered address is at 5 New Street Square, London EC4A 3TW (“OpenZeppelin”). Where we use the terms “we”, “us” and “our” in this Data Privacy Notice, we are referring to OpenZeppelin. OpenZeppelin is committed to protecting and respecting your privacy.

This notice and any other documents referred to in it set out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. When you provide us with your Personal Data, we act as a “data controller”. In simple terms, this means that:

  • we control the Personal Data that you provide, including making sure that it is kept secure; and
  • we make certain decisions on how to use and protect your Personal Data, but only to the extent that we have informed you about the use or are otherwise permitted by law.

Changes to our Data Privacy Notice

While our values will not shift, the Services will evolve over time, and this Data Privacy Notice will change to reflect that evolution. If we make changes, we will notify you by revising the date at the top of this Data Privacy Notice. In some cases, if we make significant changes, we may give you additional notice (e.g. by emailing you or by adding a statement to our homepage). We encourage you to review this Data Privacy Notice periodically to stay informed about our practices. In all cases, your continued use of the Services after the posting of any modifications to this Data Privacy Notice indicates your acceptance of any modified terms. Any questions, comments or complaints that you might have should be emailed to legal@openzeppelin.com.

Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it.

 

APPROPRIATE USE

Our Services are not intended for children and we do not knowingly collect data relating to children. If you are under the age of majority in your jurisdiction of residence, you may use the Services only with the consent of or under the supervision of your parent or legal guardian.

 

PERSONAL DATA WE COLLECT ABOUT YOU

The Personal Data collected about you will help us to provide better Services and facilitate our provision of our offerings to you. We may combine Personal Data that you provide us with Personal Data that we collected from, or about you, in some circumstances. 

Personal Data we collect may include:

  • Identity information, such as your name, username or similar identifier, title, and date of birth;
  • Contact information, such as your postal address, email address, and telephone number;
  • Information required to comply with anti-money laundering (AML) laws and know-your-customer (KYC) requirements, including passport and/or photo ID for identity verification purposes,  nationality and place of birth;
  • Profile information, such as your username, email, interests, preferences, feedback and survey responses;
  • Feedback and correspondence, such as information you provide when you receive support, participate in forums, conferences, communities, market research activities, surveys, or otherwise correspond with us;
  • Financial information, such as tax numbers, bank account information, your credit card information, or other payment details;
  • Transaction information, such as details about purchases and billing details;
  • Marketing information, such as your preferences for receiving marketing or other communications and details about how you engage with them;
  • Usage information, such as information about how you use the Services and interact with us;
  • Technical information, such as your IP address, blockchain address (e.g. a public Ethereum wallet address), application programming interface (API) keys and network information regarding blockchain and related transactions.

 

WHERE DO WE OBTAIN YOUR PERSONAL DATA?

We will collect and process Personal Data about you from a number of sources, including:

  • Personal Data you give us. This is information about you that you give us through the Services, or by corresponding with us through support channels, e-mail, Zoom, phone, social media, forums, blogs, or otherwise. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description, personal documentation and photographs or other information you choose to share with us.
  • Personal Data you agree we may collect. You may agree to give us information relating to your use of the Services, which may include usage data and technical information (e.g. frequency of use of subcommands or other features utilized within the Services).
  • Personal Data we collect about you. We may automatically collect certain information about how you use certain Services (“Log Data”) that could constitute Personal Data. Log Data is used to administer the Services and to provide security and support for the Services. Log Data is retained for a maximum of 365 days, depending on the type of information and the subscription type. Log Data may include, without limitation, information such as:
    • technical information, including the IP address used to connect your device to the Internet, your device, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
    • information about your access to or use of the Services, including the full Uniform Resource Locators (URL), clickstream to, through and from our Services (including date and time), offerings you viewed, features used, downloaded or searched for, page response times, errors, length of visits to certain pages, interaction information (including scrolling, clicks, and mouse-overs), methods used to browse away from the page, API usage, UI usage, and transaction information and actions.
  • Personal Data we receive from other sources. We work with third parties (including, for example, software providers, business partners, sub-contractors in technical, payment and delivery services, analytics providers, search information providers) who may provide us information about you. We will combine this Personal Data with information you give to us and information we collect about you. 

 

COOKIE POLICY

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your login information. 

We use cookies, local storage, or similar technologies to distinguish you from other users of our Services and to administer the Services, analyze performance of the Services, and to gather information about our users as a whole. This helps us to provide you with a good experience when you access or use our Services and allows us to improve our Services. You can reject all non-essential cookies by choosing “Decline” or set your own preference under “Cookies settings”. Most web browsers are set to accept cookies by default, but you can usually set your browser to remove or reject browser cookies. If you do choose to remove or reject cookies, however, your ability to use the Services might be affected.

| Cookie | Name | Purpose | Type | Duration |
|---|---|---|---|---|
| Google Analytics | _ga | Performance; Analytics | Not strictly necessary | 2 years, unless earlier cleared by user |
| Google Analytics | _ga_N5QZL71CVK | Performance; Analytics | Not strictly necessary | 1 week, or until cleared by user, whichever comes first |
| AWS CloudWatch RUM | cwr_s | Performance; Analytics | Not strictly necessary | 30 days |
| AWS CloudWatch RUM | cwr_u | Performance; Analytics | Not strictly necessary | 30 days |
| Hubspot | hs_c2l | Authentication/Performance; Analytics | First Party | 6 months |
| Hubspot | hubspotapi | Authentication/Performance; Analytics | First Party | 5 minutes |
| Cloudflare | __cf_bm | Bot management; Analytics | Not strictly necessary | 30 minutes |
| Cloudflare | __cfruid | Security; Rate limiting | Strictly necessary | Session |
| Cloudflare | _cfuvid | Security; Rate limiting | Strictly necessary | Session |
| Stripe | __stripe_mid | Payment; Fraud prevention | Strictly necessary | 1 year |
| Stripe | __stripe_sid | Payment; Fraud prevention | Strictly necessary | 30 minutes |
| Hubspot | hubspotapi-csrf | Preventing third party websites from accessing customer data/Performance; Analytics | Strictly necessary | 6 months |

 

USES MADE OF THE INFORMATION

We only use your personal data where we are allowed to by law. We process your Personal Data for the following purposes:

  • It is necessary to perform our contract with you:
    • to provide you with the information, products, and services that you access or request from us and support related thereto;
    • to carry out our obligations arising from any contracts entered between you and us, including but not limited to under the Terms of Service; 
    • to process and complete your purchases, and send you related information, including order forms, purchase confirmations and invoices;
    • to facilitate the continuation or termination of the contractual relationship;
    • to notify you about changes to our products or services;
    • to create and send information, including confirmations, technical notices, updates, security alerts, support and administrative messages; and
    • to administer and facilitate any other transaction between you and us.
  • It is necessary for compliance with an applicable legal or regulatory obligation, for example:
    • to comply with lawful requests and legal process, such as to respond to subpoenas or requests from regulatory, governmental, tax, and law enforcement authorities;
    • to comply with an applicable legal or regulatory obligation to which we or the relevant third party is subject;
    • to carry out audit checks;
    • to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity; and
    • to comply with AML and KYC laws and requirements, including sanction regimes.
  • For our legitimate interests or those of a third party:
    • to provide you with information about other products and services we offer that are similar to those that you have already used, purchased or enquired about;
    • to administer the Services and enhance them by improving the features and functionality and tailoring it to our users’ needs and preferences;
    • to improve our Services and to ensure that content from our Services is presented in the most effective manner for you and for your computer or other device;
    • to administer our Services and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
    • to allow you to participate in interactive features of our products and services, when you choose to do so;
    • as part of our efforts to keep our Services safe and secure;
    • to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;
    • to measure or understand the effectiveness of content we serve to you and others, and to deliver relevant content to you; and/or
    • to make suggestions and recommendations to you and other users of our Services about goods or services that may interest you or them.

We only rely on these interests where we have considered that, on balance, our legitimate interests are not overridden by your interests, fundamental rights or freedoms. Where relevant, we process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data.

 

CONSENT AND YOUR RIGHT TO WITHDRAW IT

We do not generally rely on obtaining your consent to process your Personal Data. 

If we do, you have the right to ask us not to process your Personal Data at any time. You can also exercise the right at any time by contacting us at legal@openzeppelin.com.

 

DISCLOSURE OF YOUR PERSONAL DATA

We may disclose your Personal Data under the following circumstances:

  • for the purposes set out in this Data Privacy Notice;
  • to deliver the products and services you access or use;
  • to manage the relationship with you;
  • to comply with international laws and regulations, including responding to lawful requests and legal processes; 
  • in an emergency, to protect our employees and agents, our customers, or any other stakeholder;
  • to protect the rights and property of our users, other third parties, our agents, and us, including to enforce our agreements, policies and Terms of Service; and
  • to protect against security vulnerabilities, fraud and credit risk;

with:

  • any member of our group, which means respective employees, officers, directors, contractors, consultants, equity holders, suppliers, vendors, service providers, parent companies, subsidiaries, affiliates, agents, representatives, predecessors, successors, and assigns;
  • selected third parties who need it to do work for us, including business partners, vendors, suppliers, and sub-contractors, including without limitation our third-party cloud-based service providers (such as Github, Google Workspace, Hubspot, Slack and AWS);
  • if we sell or buy any business or assets, the prospective seller or buyer of such business or assets;
  • if OpenZeppelin or substantially all of its assets are acquired by a third party, in which case Personal Data held by us will be one of the transferred assets;
  • professional advisors and service providers, including our lawyers, auditors, consultants and other professional advisors; or
  • competent regulatory and other governmental agencies and litigation counterparties to comply with applicable legal and regulatory requirements.

We may also share aggregated and/or anonymized data with others for their own uses.

 

DO YOU HAVE TO PROVIDE US WITH PERSONAL DATA?

Unless otherwise indicated, you should assume that we require the Personal Data for business and/or compliance purposes.

Some of the Personal Data we request is necessary for us to provide the Services and if you do not wish to provide us with this Personal Data, it will affect our ability to provide our products or services to you.

 

INTERNATIONAL DATA TRANSFERS

You acknowledge that Personal Data we obtain from you may be processed by our affiliated companies and third-party partners and service providers, who may be based in countries outside of the United Kingdom or the European Economic Area (“EEA”), for the purposes of providing you the Services. In particular, our third-party cloud-based service providers (such as Github, Google Workspace, Hubspot, Slack and AWS) utilize data centers in the United States. Such countries may not currently have laws offering the same level of protection for personal data as those inside the United Kingdom or the EEA. However, where such transfers of data occur, we take steps to prevent the transfer of personal data without adequate safeguards being put in place, such as by entering into European Union Standard Contractual Clauses, also known as Model Clauses. We will ensure that Personal Data collected in the United Kingdom and the EEA and transferred internationally is afforded the same level of protection as it would be inside the United Kingdom or the EEA. For further information on the adequate safeguards adopted by us for the international transfer of personal data, please contact legal@openzeppelin.com.

 

RETENTION AND DELETION OF YOUR PERSONAL DATA

We keep your Personal Data for as long as it is required by us for our legitimate business purposes, to perform the Services and/or contractual obligations, for compliance with legal obligations, or where longer, such longer period as is required by law or regulatory obligations which apply to us. Some Personal Data will be retained after your relationship with us ends. As a general principle, we do not retain your Personal Data for longer than we need it. We will usually delete your Personal Data (at the latest) when there is no longer any legal or regulatory requirement or business purpose for retaining your Personal Data.

In some circumstances, we may anonymize and/or aggregate your Personal Data (so that it no longer can be associated with you), in which case we may use this information indefinitely without further notice to you.

 

SECURITY

OpenZeppelin has established a security program, as set out in the OpenZeppelin Trust Center found at https://trust.openzeppelin.com. However, the security of information transmitted through the internet and other technologies can never be guaranteed. We cannot guarantee the security of your Personal Data transmitted to our Services; any transmission is at your own risk. We are not responsible for any interception or interruption of any communications to the Services, or for changes to or losses of Personal Data. You are responsible for maintaining the security of any password, user ID or other form of authentication involved in obtaining access to the Services. 

 

AUTOMATED DECISION-MAKING

We will not take decisions producing legal effects concerning you, or otherwise significantly affecting you, based solely on automated processing of Personal Data, unless we have considered the proposed processing in a particular case and concluded in writing that it meets the requirements of UK and EEA data protection legislation and other applicable laws.

 

YOUR RIGHTS

We are the data controller responsible for your data. You have certain data protection rights, including:

  • the right to access your Personal Data;
  • the right to restrict the use of your Personal Data;
  • the right to have incomplete or inaccurate Personal Data corrected;
  • the right to ask us to stop processing your Personal Data; and
  • the right to require us to delete your Personal Data in some limited circumstances.

You also have the right in some circumstances to request for us to “port” your Personal Data in a portable, re-usable format to other organisations (where this is possible). 

You may exercise these rights by sending a request to legal@openzeppelin.com. We will aim to respond to all legitimate requests as soon as we reasonably can and in any event within 30 days. If we think that it will take us longer than 30 days, we’ll let you know why and keep you updated. Where you make any requests, we might ask for specific information to confirm your identity as a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. This might include asking for further information in relation to your request to be able to speed up our response.

 

THIRD PARTY LINKS

Our Services may, from time to time, contain links to and from the websites and services of partner networks, third-party services, social networks and affiliates (“Third-party Services”). If you access or use any Third-party Services, please note that these Third-party services have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you access, use or submit any personal data to these Third-party Services. The inclusion of Third-party Services in our Services or links to them does not imply that we endorse the practices of the Third-party Services.

 

CONCERNS OR QUERIES

We take your concerns very seriously. We encourage you to bring it to our attention if you have any concerns about our processing of your Personal Data.

This privacy notice was drafted with simplicity and clarity in mind. We are, of course, happy to provide any further information or explanation needed. Our contact details are below.

If you want to make a complaint, you can also contact the body regulating data protection in your country, where you live or work, or the location where the data protection issue arose.  In the UK, the data protection authority is the Information Commissioner’s Office (ICO). A list of the EU data protection authorities is available by clicking this link: https://ec.europa.eu/newsroom/article29/items/612080.

 

CONTACT

Please contact us if you have any questions about this privacy notice or the Personal Data we hold about you. Questions, comments and requests are welcomed and should be addressed to legal@openzeppelin.com.

 

NOTICE TO CALIFORNIA RESIDENTS

Under California Civil Code Section 1789.3, California users are entitled to the following consumer rights notice: California residents may reach the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by mail at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.

This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (“CCPA”).

For more details about the personal information we collect from you, please see the “PERSONAL DATA WE COLLECT ABOUT YOU” section above. We collect this information for the business and commercial purposes described in the “USES MADE OF THE INFORMATION” section above. We share this information with the categories of third parties described in the “DISCLOSURE OF YOUR PERSONAL DATA” section above. 

We do not sell (as such term is defined in the CCPA) the personal information we collect (and will not sell it without providing a right to opt out). 

Please refer to the “COOKIE POLICY” section above for more information regarding the types of third-party cookies, if any, that we use.

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights. California consumers may make a request pursuant to their rights under the CCPA by contacting us at legal@openzeppelin.com. Please note that you must verify your identity and request before further action is taken. As a part of this process, government identification may be required. Consistent with California law, you may designate an authorized agent to make a request on your behalf. In order to designate an authorized agent to make a request on your behalf, you must provide a valid power of attorney, the requester’s valid government issued identification, and the authorized agent’s valid government issued identification.